For HTTP-POST binding to when sending a response to SP the current behaviour is:
1) Sign the Response based on the signResponse (SP>Assertion Content >Post Response Signed) flag.
2) Always sign the Assertion.
This was based on original ``126.96.36.199 POST-Specific Processing Rules`` in SAML profiles spec saml-profiles-2.0-os.pdf states
Need to update behaviour in IDPSSOUtil.sendResponse() (POST-Binding) to
1) If signResponse = true sign the response and also sign the assertion only if signAssertion = true.
2) If signResponse = false the assertion must be signed (SP>Assertion Content > Artifact Response Signed)